20

We’ve been planning for a long time to introduce securityContext: runAsNonRoot: true as a requirement to our pod configurations for a while now.

Testing this today I’ve learnt that since v1.8.4 (I think) you also have to specify a particular UID for the user running the container, e.g runAsUser: 333.

This means we not only have to tell developers to ensure their containers don’t run as root, but also specify a specific UID that they should run as, which makes this significantly more problematic for us to introduce.

Have I understood this correctly? What are others doing in this area? To leverage runAsNonRoot is it now required that Docker containers run with a specific and known UID?

Andy Hume
  • 40,474
  • 10
  • 47
  • 58
  • 3
    Good practice is to define a `USER` in the Dockerfile and also consider using https://kubernetes.io/docs/concepts/policy/pod-security-policy/ to enforce the security context. – Michael Hausenblas Jul 26 '18 at 17:46
  • 2
    And the `USER` needs to have a numeric value to avoid running into CreateContainerConfigError: Error: container has runAsNonRoot and image has non-numeric user (username), cannot verify user is non-root. – straville Jun 14 '19 at 13:15

2 Answers2

15

The Kubernetes Pod SecurityContext provides two options runAsNonRoot and runAsUser to enforce non root users. You can use both options separate from each other because they test for different configurations.

When you set runAsNonRoot: true you require that the container will run with a user with any UID other than 0. No matter which UID your user has.
When you set runAsUser: 333 you require that the container will run with a user with UID 333.

logan rakai
  • 2,519
  • 2
  • 15
  • 24
Lukas Eichler
  • 5,689
  • 1
  • 24
  • 43
  • 1
    "When you set runAsNonRoot: true you require that the container will run with a user with any UID other than 0. " This is the part that doesn't work in my tests, post v1.8.x. I get the error, "container has runAsNonRoot and image has non-numeric user ''" – Andy Hume Jul 27 '18 at 08:46
  • 1
    You literally have to specify a numeric user in the Dockerfile, like `USER 1001` – peedee Jul 04 '19 at 19:41
1

What are others doing in this area?

We are using runAsUser in situations where we don't want root to be used. Granted, those situations are not that frequent as you might think, since philosophy of deployment of 'processes' as separated pod's containers inside kubernetes cluster architecture differs from traditional compound monolithic deployment on single host where security implications of breach are quite different...

Most of our local development is done either on minicube or docker edge with k8s manifests so setup is as close as possible to our deployment cluster (apart from obvious limits). With that said, we don't have issues with user id allocation since initialization of persistent volume is not done externally so all file user/group ownership is done within pods with proper file permissions. On very rare occasions that docker is used for development, developer is instructed to set appropriate permissions manually across mounted volumes but that rare happens.

Const
  • 6,237
  • 3
  • 22
  • 27